We are pleased to present the 2016 Cost of Cyber Crime Study & the Risk of Business
Innovation sponsored by Hewlett Packard Enterprise. This year’s study on the annual cost of
cyber crime is based upon a representative sample of 237 organizations in six countries.
Ponemon Institute conducted the first Cost of Cyber Crime study in the United States seven years
ago. This is the fifth year we have conducted the study in the United Kingdom, Germany,
Australia and Japan and the second year in Brazil.
Cyber attacks are a reality for all organizations. In this year’s cost of cyber crime research we
focus on the importance of thriving and innovating while simultaneously reducing the financial
and reputational consequences of a cyber attack. An important finding of this research is that a
high security profile, as determined by the deployment of specific practices and technologies, will
support business innovation and reduce the cost of cyber crime.

Global Study at a Glance
237 companies in 6 countries
1,278 interviews with company personnel
465 total attacks used to measure total cost
$9.5 million average annualized cost
21 percent net increase in the total cost over the past year
Findings reveal the following characteristics of organizations that both innovate their operations to
meet business objectives and minimize the financial and reputational consequences of a cyber
crime.
2. Information management. Information loss is now the biggest financial impact of a cyber
attack. Consequently, organizations with advanced backup and recovery were able to reduce
the impact and ensure business continuity and data protection.
3. Information governance. These companies deploy advanced procedures for backup and
recovery operations, share threat intelligence, collaborate with industry partners on security
issues and integrate security operations with enterprise risk management activities.
6. Detection and recovery. To reduce the time to determine the root cause of the attack and
control the costs associated with a lengthy time to detect and contain the attack, these
organizations are increasing their investment in technologies to help facilitate the detection
process.
7. Third-party risk. These organizations are able to reduce the risk of taking on a significant
new supplier or partner by conducting thorough audits and assessments of the third party’s
data protection practices.
9. SIEM. These companies deploy advanced security information and event management
(SIEM) with features such as the ability to monitor and correlate events in real-time to detect
critical threats and detect unknown threats through user behavior analytics.
Applying information management and governance practices reduces the cost of cyber
crime. While only 39 percent of companies represented in this research reported they deploy
advanced backup and recovery operations, its use reduced the average cost of cyber crime by
nearly $2 million. Similarly, only 28 percent of companies reported having a formal information
governance program, and this was shown to reduce the cost of cyber crime by nearly $1 million.
Certain technologies enable a high level of information management and governance. The
persistent use of security technologies such as advanced access management systems (49
percent of companies), extensive deployment of encryption technologies (46 percent of
companies) and enterprise deployment of encryption technologies (41 percent of companies)
were shown to reduce the cost of cyber crime. Companies in this study that relied on seven of the
listed security tools saw the cost of cyber crime reduced by an average of $3 million.
Business innovation impacts the cost of cyber crime and certain innovations are costlier.
The acquisition or divestiture of a company was shown to increase the cost of cyber crime by 20
percent, and the launch of a significant new customer-facing application increased the cost by 18
percent. In addition, costlier attacks resulted when there was more innovation. Companies that
The persistent use of advanced SIEM resulted in an average savings of $2.77 million.
Despite the findings that the use of advanced SIEM features resulted in an average savings of
nearly $3 million, our research revealed that most SIEM features are not widely deployed. These
are the ability to monitor and correlate events in real-time to detect critical threats (only 35
percent of organizations) and to detect unknown threats through user behavior analytics (only 33
percent of organizations).
In this annual study, our goal is to quantify the economic impact of cyber attacks and observe
cost trends over time. We believe a better understanding of the cost of cyber crime will help
organizations determine the appropriate amount of investment and resources needed to prevent
or mitigate the consequences of an attack.
Figure 1 presents the estimated average cost of cyber crime for samples from six different
countries; these samples involved a total of 237 separate companies. In the figure below, results
of this year’s study are compared to those from the previous four years. Cost figures are
converted into US dollars for comparative purposes.[1] US organizations continue to have the
highest average cost of cyber crime ($17.36 million), and Australia has the lowest ($4.30 million).

“In our company, we have seen these costs increase exponentially.” VP, Healthcare, US
Over the past year, the average cost of cyber crime experienced the largest increase in Brazil.
Figure 1. Total cost of cyber crime in six countries over four years
*Country-level study was not conducted in the given year
US$ millions, n = 237 separate companies (four annual values per country, oldest to newest; this year’s value last)

United States    $11.56   $12.69   $15.42   $17.36
Japan             $6.73    $6.91    $6.81    $8.39
Germany           $7.56    $8.13    $7.50    $7.84
United Kingdom    $4.72    $5.93    $6.32    $7.21
Brazil*               *        *    $3.85    $5.27
Australia         $3.67    $3.99    $3.47    $4.30
[1] For this conversion, we used The Wall Street Journal’s currency conversion rates as of August 22, 2016.
But there is good news. As discussed in this report, a high security profile decreases the cost of
cyber crime—even for highly innovative companies. Those companies with a self-reported high
security profile experienced an average cost of cyber crime of $7.9 million, which is below the
average. In contrast, companies with a self-reported low security profile had an average cost of
$11.1 million (see Figure 15).
Total cost of cyber crime, four annual samples (US dollars, oldest to newest; this year’s value last)

Maximum   $58,095,571   $60,525,947   $65,047,302   $73,750,667
Mean       $7,217,030    $7,574,791    $7,721,552    $9,502,045
Median     $5,479,234    $6,021,893    $5,533,432    $6,656,155
Minimum      $373,387      $567,316      $307,800      $270,107
The cost of cyber crime varies by organizational size. As shown in Figure 3, organizational
size, as measured by the number of enterprise seats or nodes, is positively correlated to
annualized cyber crime cost. This positive correlation is indicated by the upward sloping
regression line. The number of seats ranges from a low of 673 to a high of 129,000.
Moreover, smaller organizations (less than the median number of seats) experienced a higher
proportion of cyber crime costs related to malware, web-based attacks and phishing/social
engineering. In contrast, larger organizations (more than the median number of seats)
experienced a higher proportion of costs relating to denial of services, malicious insiders,
malicious code and stolen devices.
Figure 3. Annualized cost of cyber crime by organizational size (scatter plot with regression line; y-axis: US dollars, $- to $80,000,000; x-axis: ascending order by the number of enterprise seats (size))

[2] This analysis is strictly for purposes of illustration. The sample sizes in several sectors are too small to
allow for definitive conclusions regarding industry differences.
Our studies look at eight different attack vectors as the source of the cyber crime. This year, the
benchmark sample of 237 organizations experienced a total of 465 discernible cyber attacks each
week. The table below shows the number of successful attacks over the past five years, which
has steadily increased.
Phishing & social engineering (SE) attacks increased significantly from 62 percent in 2015 to 70
percent in 2016. As shown below, most companies also experienced web-based attacks,
malicious code, botnets and stolen devices.
Percentage of companies experiencing each attack type, FY 2015 vs FY 2016

                      FY 2015   FY 2016
Malware                  99%       98%
Phishing & SE            62%       70%
Web-based attacks        64%       63%
Malicious code           59%       61%
Botnets                  59%       55%
Stolen devices           45%       50%
Denial of services       51%       49%
Malicious insiders       35%       41%
Malicious code is the costliest problem for US companies. The UK has the highest cost related to
denial of services attacks and malware is costliest in Japan. In most countries, botnets are the
least costly type of attack.
Cost by attack type, FY 2015 vs FY 2016 (US dollars)

                      FY 2015    FY 2016
Malicious insiders   $144,542   $167,890
Denial of services   $126,545   $133,453
Web-based attacks     $96,424    $88,145
Phishing & SE         $85,959    $95,821
Malicious code        $81,500    $92,336
Stolen devices        $33,565    $31,870
Malware                $4,639     $5,110
Botnets                $1,075       $995
The time to contain the attacks can have a significant impact on the total cost of cyber crime. For
example, if it takes less than 30 days to contain a cyber attack, we estimate an average cost of
$7.7 million. In contrast, if the time to contain an attack is greater than 90 days, the average cost
increases to $12.2 million.
Average time to contain attacks by type, FY 2015 vs FY 2016 (days)

                      FY 2015   FY 2016
Malicious insiders      54.4      51.5
Malicious code          47.5      49.6
Web-based attacks       27.7      25.3
Phishing & SE           21.9      19.8
Denial of service       19.3      17.8
Stolen devices          12.3      13.7
Malware                  4.1       5.6
Botnets                  2.2       2.0
Information loss or theft is now the most expensive consequence of a cyber crime. In this
research we look at four primary consequences of a cyber attack: business disruptions, the loss
of information, loss of revenue and damage to equipment.

“Because of the cost of downtime, we have escalated the priority for backup and recovery
practices.” VP, Technology Company, US

As shown in Figure 9, among the organizations represented in this study, information loss is the
costliest consequence of an attack in FY 2016. In the context of this research, information loss is
defined as the loss or theft of sensitive and confidential information, including high-value
information assets. The costly nature of this type of attack is not surprising given the increasing
frequency of malware attacks and phishing & social engineering.
The cost of business disruption includes diminished employee productivity and business process
failures in the wake of a cyber attack; this represents 36 percent of cost. Revenue loss and
equipment damages follow at 20 percent and 4 percent, respectively.
Figure 9. Percentage of total cost by consequence of the attack, FY 2016 vs FY 2015

                      FY 2016   FY 2015
Business disruption      36%       39%
Information loss         39%       35%
Revenue loss             20%       21%
Equipment damages         4%        4%
Other costs               1%        2%
Percentage of total cost by internal cost activity center, FY 2016 vs FY 2015 (bar chart; categories: Detection, Recovery, Containment, Investigation, Incident management, Ex-post response)
The network layer and perimeter security continues to receive the highest allocation of funds, at
29 percent of total dedicated IT security funding. At only seven percent, the host layer receives
the lowest funding level. Despite observing the largest increases in application and data security
spending, there may be more opportunity here in light of continued losses due to malware and
malicious insiders.

“At present, I don’t know if the reliance on perimeter controls alone reduces cyber crime costs.”
Director, Tech Company, UK
Allocation of dedicated IT security funding by layer, FY 2016 vs FY 2015 (bar chart; categories: Network layer, Application layer, Data layer, Human layer, Physical layer, Host layer)
In this year’s cost of cyber crime study, we study the relationship between the most common
innovations of companies as they relate to costs of cyber crime. In the past, experts in the
security industry have commented that a more sophisticated and stealthier adversary is behind
the growing cyber risk and the associated costs. However, our research reveals that business
innovations also increase the costs associated with cyber crime.

“The rush to release new business apps has increased our vulnerability.” Manager, FSI,
Australia
As shown in Figure 12, more than half (51 percent) of organizations engaged a significant new
supplier or partner and 49 percent launched a significant new customer-facing application. On
average, organizations in this study were involved in four of the innovations studied. This
demonstrates that business innovation is a fact of life for security, one for which planning must be
done.
The acquisition of a new company can increase the risk of cyber crime due to the merging of
disparate security systems and confusion regarding reporting and communication channels.
Organizational changes due to such innovation can increase the risk of disgruntled and negligent
employees; therefore acquisitions or divestitures should trigger organizations to be vigilant to
avoid an increase in costly cyber attacks.
Figure 13. Net percentage increase in the total cost of cyber crime for eight business
innovations
n = 237 separate companies
Figure 14. Total cost of cyber crime by the number of innovations experienced
US$ millions, n = 237 separate companies

Zero     $7.0
One      $7.2
Two      $8.2
Three    $8.1
Four     $9.4
Five    $10.4
Six     $11.0
Seven   $11.5
Eight   $12.8
This study’s findings show that a high security profile decreases the cost of cyber crime
for innovative companies. Organizations that have a high security profile experienced an
average cost of cyber crime of $7.9 million, which is below the average. In contrast, organizations
with a low security profile have an average cost of $11.1 million, as shown in Figure 15.
Figure 15. Total cost of cyber crime for low versus high security profiles
US dollars, n = 237 separate companies

Low security profile (at or below 10 items)   $11,113,960
High security profile (above 10 items)         $7,890,130
Figure 16. The total cost interrelationship between business innovation and security
profile
US$ millions, n = 237 separate companies (two bars per profile, in chart order; series legend not present in the extracted figure)

Low security profile    $13.45   $9.35
High security profile    $9.40   $6.63
As shown in Figure 17, the majority of organizations are not adopting information management
and governance practices that could reduce the cost of cyber crime. Only 39 percent of
companies have advanced procedures for backup and recovery. Only 28 percent of companies
have a formal information governance program.
Figure 17. Eight steps taken to ensure information management and governance
n = 237 separate companies
Figure 18 Cost differentials for the deployment of eight information management and
governance practices
US$ millions, n = 237 separate companies
Figure 19. Seven security technologies used to enable information management and
governance
n = 237 separate companies
Figure 20. Cost differentials for the persistent use of security tools that enable information
management and governance
US$ millions, n = 237 separate companies

Number of tools   Cost differential
Seven             $(3.17)
Six               $(2.19)
Five              $(1.65)
Four              $(1.16)
Three             $(0.62)
Two                $0.28
One                $0.99
None               $2.85
For the first time, we measure the use of nine application security controls in the reduction of the
cost of cyber crime. As shown in Figure 21, the application security controls most often used are
penetration testing (53 percent of organizations), security patch management (47 percent of
organizations), dynamic scanning (44 percent of organizations) and static scanning (44 percent
of organizations).

“We need to tighten up our SDLC in order to reduce the risk and costs.” Manager, Industrial
Company, Germany
Based on the findings of this study, it is surprising application security controls are not more
widely deployed. The pressure to “rush to release” is a huge risk because, as shown in Figure 13,
the launch of major customer-facing applications increases the average cost of cyber crime by 18
percent.
Figure 22. Cost differentials for the persistent use of application security controls
US$ millions, n = 237 separate companies

Number of controls   Cost differential
8 to 9               $(1.90)
6 to 7               $(1.40)
4 to 5               $(0.50)
2 to 3                $2.00
0 to 1                $1.80
Figure 23 shows five advanced SIEM features. The most popular features are the ability to
monitor and correlate events in real-time to detect critical threats (35 percent of organizations)
and detect unknown threats through user behavior analytics (33 percent of organizations).
The findings of the present research demonstrate the benefits of deploying advanced SIEM and
analytics. Malicious insiders prove costly, and they are hard to detect in any organization. Thus,
security professionals need to consider utilizing user behavior analytics and other advanced
SIEM features. Advanced SIEM reduces the risk of cyber crime by an average of almost $3
million. If this approach is not employed, costs increase by an average of $2 million.
Figure 24. Cost differentials for the persistent use of advanced SIEM features
US$ millions, n = 237 separate companies

Number of features   Cost differential
Five                 $(2.77)
Four                 $(1.86)
Three                $(1.20)
Two                  $(0.48)
One                  $(0.60)
None                  $2.00
To determine the average cost of cyber crime, the 237 organizations in the study were asked to
report what they spent to deal with cyber crimes experienced over four consecutive weeks. Once
costs over the four-week period were compiled and validated, these figures were then grossed-up[3]
to determine the annualized cost.
In our experience, a traditional survey approach does not capture the necessary details required
to extrapolate cyber crime costs. Therefore, we conduct field-based research that involves
interviewing senior-level personnel about their organizations’ actual cyber crime incidents.
Approximately 10 months of effort is required to recruit companies, build an activity-based cost
model to analyze the data, collect source information and complete the analysis.
For consistency purposes, our benchmark sample consists of only larger-sized organizations (i.e.,
a minimum of approximately 1,000 enterprise seats[4]). The study examines the total costs
organizations incur when responding to cyber crime incidents. These include the costs to detect,
recover, investigate and manage the incident response. Also covered are the costs that result in
after-the-fact activities and efforts to contain additional costs from business disruption and the
loss of customers. These costs do not include the plethora of expenditures and investments
made to sustain an organization’s security posture or compliance with standards, policies and
regulations.
The purpose of this research is to provide guidance on what a successful cyber attack can cost
an organization. Our cost of cyber crime study is unique in addressing the core systems and
business process-related activities that drive a range of expenditures associated with a
company’s response to cyber crime. In this study, we define a successful attack as one that
results in the infiltration of a company’s core networks or enterprise systems. It does not include
the plethora of attacks stopped by a company’s firewall defenses.
[3] The gross-up statistic: Annualized cost = [cost estimate]/[4/52 weeks].
[4] Enterprise seats refer to the number of direct connections to the network and enterprise systems.
- The costs related to dealing with the cyber crime, or what we refer to as the internal cost
  activity centers.
- The costs related to the consequences of the cyber attack, or what we refer to as the external
  consequences of the cyber attack.
As shown above, we analyze the internal cost centers sequentially—starting with the detection of
the incident and ending with the ex-post or final response to the incident, which involves dealing
with lost business opportunities and business disruption. In each of the cost activity centers we
asked respondents to estimate the direct costs, indirect costs and opportunity costs. These are
defined as follows:
- Direct cost: the direct expense outlay to accomplish a given activity.
- Indirect cost: the amount of time, effort and other organizational resources spent, but not as
  a direct cash outlay.
- Opportunity cost: the cost resulting from lost business opportunities as a consequence of
  reputation diminishment after the incident.
External costs, including the loss of information assets, business disruption, equipment damage
and revenue loss, were captured using shadow-costing methods. Total costs were allocated to
nine discernible attack vectors: viruses, worms, trojans; malware; botnets; web-based attacks;
This study addresses activities related to the core processes that drive a range of expenditures
associated with a company’s cyber attack. The five internal cost activity centers in our framework
include:[6]
- Detection: Activities that enable an organization to reasonably detect and possibly deter
  cyber attacks or advanced threats. This includes allocated (overhead) costs of certain
  enabling technologies that enhance mitigation or early detection.
- Investigation and escalation: Activities necessary to thoroughly uncover the source, scope,
  and magnitude of one or more incidents. The escalation activity also includes the steps taken
  to organize an initial management response.
- Containment: Activities that focus on stopping or lessening the severity of cyber attacks or
  advanced threats. These include shutting down high-risk attack vectors such as insecure
  applications or endpoints.
- Recovery: Activities associated with repairing and remediating the organization’s systems
  and core business processes. These include the restoration of damaged information assets
  and other IT (data center) assets.
- Ex-post response: Activities to help the organization minimize potential future attacks. These
  include containing costs from business disruption and information loss as well as adding new
  enabling technologies and control systems.
In addition to the above process-related activities, organizations often experience external
consequences or costs associated with the aftermath of successful attacks – which are defined
as attacks that infiltrate the organization’s network or enterprise systems. Accordingly, our
research shows that four general cost activities associated with these external consequences are
as follows:
- Cost of information loss or theft: Loss or theft of sensitive and confidential information as a
  result of a cyber attack. Such information includes trade secrets, intellectual property
  (including source code), customer information and employee records. This cost category also
  includes the cost of data breach notification in the event that personal information is
  wrongfully acquired.
- Cost of business disruption: The economic impact of downtime or unplanned outages that
  prevent the organization from meeting its data processing requirements.
- Cost of equipment damage: The cost to remediate equipment and other IT assets as a result
  of cyber attacks on information resources and critical infrastructure.
- Lost revenue: The loss of customers (churn) and other stakeholders because of system
  delays or shutdowns as a result of a cyber attack. To extrapolate this cost, we use a shadow
  costing method that relies on the “lifetime value” of an average customer as defined for each
  participating organization.
[5] We acknowledge that these nine attack categories are not mutually independent and they do not represent
an exhaustive list. Classification of a given attack was made by the researcher and derived from the facts
collected during the benchmarking process.
[6] Internal costs are extrapolated using labor (time) as a surrogate for direct and indirect costs. This is also
used to allocate an overhead component for fixed costs such as multiyear investments in technologies.
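The cost framework just described, carried into working Python as an added example (not Ponemon Institute’s benchmark instrument or code): internal activity centers with direct, indirect and opportunity costs, external consequences with lost revenue shadow-costed from customer lifetime value, and the 4/52-week gross-up to an annualized figure. All dollar figures, the churn count and the lifetime value in SAMPLE are constructed inputs, and the function and field names are assumptions of mine.

```python
# Activity-based cost model following the framework described above. Added
# illustration, not Ponemon Institute's instrument: category names, the
# direct/indirect/opportunity split, churn shadow-costing and the 4/52-week
# gross-up are the report's; every figure in SAMPLE below is constructed.
from dataclasses import dataclass, field

# Internal cost activity centers, in the sequence the report analyzes them.
INTERNAL_CENTERS = ("detection", "investigation_escalation", "containment",
                    "recovery", "ex_post_response")
# External consequences entered as dollar figures (shadow-costed); lost
# revenue is derived from churn instead of being entered directly.
SHADOW_COSTED = ("information_loss", "business_disruption", "equipment_damage")
FIELDING_WEEKS = 4   # costs are collected over four consecutive weeks
WEEKS_PER_YEAR = 52


@dataclass
class ActivityCost:
    """Direct, indirect and opportunity cost for one internal activity center."""
    direct: float = 0.0       # direct cash outlay for the activity
    indirect: float = 0.0     # time, effort and other resources, not cash
    opportunity: float = 0.0  # lost business from reputation diminishment

    def total(self) -> float:
        return self.direct + self.indirect + self.opportunity


@dataclass
class FourWeekCosts:
    internal: dict = field(default_factory=dict)   # center -> ActivityCost
    external: dict = field(default_factory=dict)   # consequence -> dollars
    churned_customers: int = 0
    customer_lifetime_value: float = 0.0


def gross_up(four_week_cost: float) -> float:
    """Annualize a four-week total: equivalent to dividing by 4/52 weeks."""
    return four_week_cost * WEEKS_PER_YEAR / FIELDING_WEEKS


def lost_revenue(costs: FourWeekCosts) -> float:
    """Shadow-cost churn: customers lost times their lifetime value."""
    return costs.churned_customers * costs.customer_lifetime_value


def _shares(amounts: dict) -> dict:
    """Each category's share of its group total (0.0 for an empty group)."""
    total = sum(amounts.values())
    return {k: (v / total if total else 0.0) for k, v in amounts.items()}


def annualized_cost(costs: FourWeekCosts) -> dict:
    """Gross up internal and external four-week costs to an annual figure."""
    # Reject categories outside the framework, so a mis-keyed interview
    # entry cannot silently vanish from the total.
    unknown = (set(costs.internal) - set(INTERNAL_CENTERS)) | (
        set(costs.external) - set(SHADOW_COSTED))
    if unknown:
        raise ValueError(f"categories outside the framework: {sorted(unknown)}")
    internal = {c: costs.internal.get(c, ActivityCost()).total()
                for c in INTERNAL_CENTERS}
    external = {c: float(costs.external.get(c, 0.0)) for c in SHADOW_COSTED}
    external["lost_revenue"] = lost_revenue(costs)
    internal_total = sum(internal.values())
    external_total = sum(external.values())
    return {
        "annualized_total": gross_up(internal_total + external_total),
        "annualized_internal": gross_up(internal_total),
        "annualized_external": gross_up(external_total),
        "internal_share": _shares(internal),   # cf. the activity-center chart
        "external_share": _shares(external),   # cf. Figure 9
    }


def security_profile(enabling_items: int) -> str:
    """Classify as in Figure 15: at or below 10 items is low, above 10 high."""
    return "high" if enabling_items > 10 else "low"


# Constructed sample: one hypothetical organization's four-week window.
SAMPLE = FourWeekCosts(
    internal={
        "detection": ActivityCost(direct=20_000, indirect=15_000),
        "investigation_escalation": ActivityCost(direct=10_000, indirect=12_000),
        "containment": ActivityCost(direct=8_000, indirect=9_000, opportunity=3_000),
        "recovery": ActivityCost(direct=25_000, indirect=10_000),
        "ex_post_response": ActivityCost(direct=5_000, indirect=4_000, opportunity=6_000),
    },
    external={"information_loss": 150_000, "business_disruption": 90_000,
              "equipment_damage": 10_000},
    churned_customers=40,
    customer_lifetime_value=1_200.0,
)
```

Calling annualized_cost(SAMPLE) grosses the $425,000 four-week total up to $5,525,000 and reports each consequence's share of external cost, with information loss at just over half.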
The cost of cyber crime benchmark instrument is designed to collect descriptive information from
IT, information security and other key individuals about the actual costs incurred either directly or
indirectly as a result of cyber attacks actually detected. Our cost method does not require
subjects to provide actual accounting results, but instead relies on estimation and extrapolation
from interview data over a four-week period.
Cost estimation is based on confidential diagnostic interviews with key respondents within each
benchmarked organization. Table 2 reports the frequency of individuals by their approximate
functional discipline that participated in this year’s global study. As can be seen, this year’s study
in six countries involved 2,050 interviews[7] for 237 benchmarked companies.
Data collection methods did not include actual accounting information, but instead relied upon
numerical estimation based on the knowledge and experience of each participant. Within each
category, cost estimation was a two-stage process. First, the benchmark instrument required
individuals to rate direct cost estimates for each cost category by marking a range variable
defined in the following number line format.
How to use the number line: The number line provided under each data breach cost category is one way to
obtain your best estimate for the sum of cash outlays, labor and overhead incurred. Please mark only one
point somewhere between the lower and upper limits set above. You can reset the lower and upper limits of
the number line at any time during the interview process.
Post your estimate of direct costs here for [presented cost category]
LL ______________________________________|___________________________________ UL
[7] Last year’s study involved 2,128 individuals or an average of 8.44 interviews for each benchmarked
company.
Cost estimates were then compiled for each organization based on the relative magnitude of
these costs in comparison to a direct cost within a given category. Finally, we administered
general interview questions to obtain additional facts, including estimated revenue losses as a
result of the cyber crime.
The size and scope of survey items was limited to known cost categories that cut across different
industry sectors. In our experience, a survey focusing on process yields a higher response rate
and higher quality of results. We used a paper instrument, rather than an electronic survey, to
provide greater assurances of confidentiality.
To maintain complete confidentiality, the survey instrument did not capture company-specific
information of any kind. Subject materials contained no tracking codes or other methods that
could link responses to participating companies.
We carefully limited items to only those cost activities we considered crucial to the measurement
of cyber crime cost to keep the benchmark instrument to a manageable size. Based on
discussions with learned experts, the final set of items focused on a finite set of direct or indirect
cost activities. After collecting benchmark information, each instrument was examined carefully
for consistency and completeness. In this study, a few companies were rejected because of
incomplete, inconsistent or blank responses.
Field research was conducted over several months, concluding in August 2016. To maintain
consistency for all benchmark companies, the information collected about each organization’s
cyber crime experience was limited to four consecutive weeks. This time frame was not
necessarily the same time period as for other organizations in this study. The extrapolated direct,
indirect and opportunity costs of cyber crime were annualized by dividing the total cost collected
over four weeks by the ratio 4/52 weeks.
Recruitment for the annual study started with a personalized letter, with a follow-up phone call to
1,688 contacts for possible participation. Of these, 237 organizations permitted Ponemon Institute
to perform the benchmark analysis.
Pie Chart 1 summarizes the current sample of participating companies based on 17 primary
industry classifications. As can be seen, financial services (16 percent) represent the largest
segment. This includes retail banking, insurance, brokerage and credit card companies. The
second and third largest segments include industrial (12 percent) and technology (12 percent).
The technology segment includes companies in software, hardware and IT management.

Pie Chart 1. Sample by primary industry classification: Financial services 16%, Industrial 12%, Technology 12%, Public sector, Services, Retail, Consumer products, Utilities & energy, Transportation, Healthcare, Media, Hospitality, Communications, Education & research, Pharmaceutical, Automotive, Agriculture (remaining segment labels 10%, 10%, 9%, 7%, 5%, 4%, 4%, 2%, 2%)

Pie Chart 2. Sample by organizational size in enterprise seats: < 2,000; 2,000 to 5,000; 5,001 to 10,000; 10,001 to 15,000; 15,001 to 25,000; > 25,000 (segment labels 24%, 19%, 17%, 15%, 14%, 11%)
This study utilizes a confidential and proprietary benchmark method that has been successfully
deployed in earlier Ponemon Institute research. However, there are inherent limitations to
benchmark research that need to be carefully considered before drawing conclusions from
findings.
- Non-statistical results: The purpose of this study is descriptive rather than normative
  inference. The current study draws upon a representative, non-statistical sample of
  organizations of mostly larger entities experiencing one or more cyber attacks during a four-
  week fielding period. Statistical inferences, margins of error and confidence intervals cannot
  be applied to these data given the nature of our sampling plan.
- Non-response: The current findings are based on a small representative sample of completed
  case studies. Benchmark surveys were initially mailed to a targeted group of organizations,
  all believed to have experienced one or more cyber attacks. A total of 252 companies
  provided usable benchmark surveys. Non-response bias was not tested, which means it is
  possible that companies that did not participate are substantially different in terms of the
  methods used to manage the cyber crime containment and recovery process, as well as the
  underlying costs involved.
- Sampling-frame bias: Given that our sampling frame is judgmental, the quality of results is
  influenced by the degree to which the frame is representative of the population of companies
  being studied. It is our belief that the current sampling frame is biased toward companies with
  more mature information security programs.
- Unmeasured factors: To keep the survey concise and focused, we decided to omit other
  important variables from our analysis such as leading trends and organizational
  characteristics. The extent to which omitted variables might explain benchmark results cannot
  be estimated at this time.
- Estimated cost results: The quality of survey research is based on the integrity of confidential
  responses received from companies. While certain checks and balances can be incorporated
  into the survey process, there is always the possibility that respondents did not provide
  truthful responses. In addition, the use of a cost estimation technique (termed shadow costing
  methods) rather than actual cost data could create significant bias in presented results.
Ponemon Institute
Advancing Responsible Information Management
Ponemon Institute is dedicated to independent research and education that advances responsible
information and privacy management practices within business and government. Our mission is
to conduct high quality, empirical studies on critical issues affecting the management and security
of sensitive information about people and organizations.